[AVD] AzureAD Authority URL with GUID TenantID not resolving (HTTP Error 400)

PLPro 71 Reputation points
2021-07-20T17:31:22.337+00:00

Posted at the request of Microsoft support:

When deploying an Azure Virtual Desktop (formerly WVD) Host Pool with AzureAD-only auth, the pool VMs require the ability to access https://login.microsoftonline.com/<tenantID> and https://login.microsoftonline.com/<tenantID>/sidtoname on the default AzureAD tenant for their authorization flow. However, both URLs fail with a 400 error (both from the AVD VM and when I try to reach them locally from my browser) for my tenantID GUID. I would have assumed that the above URLs are always available for an AzureAD tenant, but clearly something in the tenant configuration is off.

Might someone have thoughts regarding how these endpoints might have been disabled for the AzureAD tenant and how they might be re-enabled?


Accepted answer
prmanhas-MSFT 17,946 Reputation points Microsoft Employee Moderator
2021-07-27T05:54:07.417+00:00

    @anonymous user, posting this as an answer as well, with a few more inputs based on some research.

    Not sure about the URLs, but it seems like you might have issues with AVD AAD Join. I followed this documentation and it worked in my lab. Also, as mentioned at the top of the page, this feature is in public preview and hence should not be used in production. Also, a few features may or may not work in different environments, considering it is still in development, and hence I won't guarantee that it will work to its fullest capability in this phase.

    Dean Cefola's video is to the point in setting it up successfully and might be helpful to you.

    Few tips to keep into consideration:

    1) Only works for the pool with the validation flag set to yes.

    2) Don't forget the targetisaadjoined:i:1 flag as an RDP property. I had to restart the host pool VMs to get this setting into effect.

    3) Use the latest Windows 10 image as much as possible. There is a policy setting, "Network security: Allow PKU2U authentication requests to this computer to use online identities", which is disabled in Windows 10 1607 and below and prevents logon if not enabled.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in the community looking for help on similar topics.
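The three tips in the accepted answer can be verified with a script. The following is an added example, not code from the thread or from Microsoft: it assumes the Az.DesktopVirtualization module is installed and Connect-AzAccount has already been run, and the resource group and host pool names are placeholders. The second function is meant to run on the session host itself; the mapping of the "Allow PKU2U authentication requests ... to use online identities" policy to the AllowOnlineID registry value is stated here as the author's assumption about how that policy is stored.

```powershell
# Added example (not part of the original thread). Checks the answer's tips 1 and 2
# against a host pool from an admin workstation. Names below are placeholders.
function Test-AvdHostPoolAadJoinSettings {
    param(
        [string]$ResourceGroupName = 'rg-avd-placeholder',
        [string]$HostPoolName      = 'hp-avd-placeholder',
        [switch]$Fix
    )

    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

    # Tip 1: the answer reports that Azure AD join only worked on a validation pool.
    if (-not $pool.ValidationEnvironment) {
        Write-Warning "Host pool '$HostPoolName' is not flagged as a validation environment."
    }

    # Tip 2: the RDP property that tells the client the session host is Azure AD joined.
    $required = 'targetisaadjoined:i:1'
    $props = @()
    if ($pool.CustomRdpProperty) {
        # CustomRdpProperty is a ';'-separated string, usually with a trailing ';'.
        $props = $pool.CustomRdpProperty.Split(';', [StringSplitOptions]::RemoveEmptyEntries)
    }

    $hasFlag = $props -contains $required
    if (-not $hasFlag) {
        Write-Warning "'$required' is missing from the custom RDP properties of '$HostPoolName'."
        if ($Fix) {
            $newProps = (($props + $required) -join ';') + ';'
            Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
                -CustomRdpProperty $newProps
            # Per the answer, existing session host VMs need a restart before this takes effect.
            Write-Output "Updated custom RDP properties; restart the session hosts."
        }
    }

    return [pscustomobject]@{
        ValidationEnvironment = [bool]$pool.ValidationEnvironment
        TargetIsAadJoined     = $hasFlag
    }
}

# Tip 3: run this on the session host. Assumption: the policy
# "Network security: Allow PKU2U authentication requests to this computer to use online identities"
# is stored as the AllowOnlineID DWORD under the Lsa\pku2u key (1 = enabled).
function Test-AvdSessionHostPku2u {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $value = (Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue).AllowOnlineID

    $enabled = ($value -eq 1)
    if (-not $enabled) {
        Write-Warning "PKU2U online identities are not allowed on this host (AllowOnlineID = '$value'); Azure AD logons will fail."
    }
    return $enabled
}

# Usage (admin workstation): Test-AvdHostPoolAadJoinSettings -ResourceGroupName 'rg-avd-placeholder' -HostPoolName 'hp-avd-placeholder' -Fix
# Usage (on a session host):  Test-AvdSessionHostPku2u
```

The first function only reports by default; pass -Fix to append the missing RDP property with Update-AzWvdHostPool. The registry check deliberately does not change the policy, since on a domain- or Intune-managed host the setting should be corrected at the policy source rather than on the VM.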


0 additional answers
